You know how you wait for ages for a bus to come (well, we do in Europe) and then three come along at once? Well it's a little like that in the data privacy arena right now, as far as transfer of international personal data is concerned, anyhow. For years, there has been a reasonably steady and fairly consistent position from the various bodies responsible for this complicated and often confusing area of law, but in the last few weeks we have been hit with a significant change overnight and we are all left wondering where to get off.
The onslaught began with the European Court of Justice (CJEU) declaring that the EU Commission's US-EU safe harbour regime is now invalid (read the judgment here). Thousands of US corporates with subsidiaries in Europe have relied on the safe harbour principles to allow them to transfer personal data from the EU to the US for years and to lose this overnight, without warning, is pretty shocking.
Hot on the heels of that judgment, just as we were all resting on our model clauses solutions, came a position paper issued by one of the leading German federal data protection authorities, which suggested that ALL data transfer to the US should be off limits (see below for details).
Fortunately, this was followed up quickly by a statement issued by the EU Article 29 Working Party (the influential advisory body comprising member state privacy regulators), which restored a measure of calm to the situation (read it here). It said that the safe harbour method is no longer effective but that the model clauses and binding corporate rules can still be used to transfer personal data from the EU to the US for the moment but that we need to keep our eyes open for further guidance on this in the near future. More concerning, though, was that their statement then went on to say that if the safe harbour issue has not been resolved by January 2016, then "enforcement action" may be taken. It is not clear how this would work and who would be targeted first.
Next, came a communication from the EU Commission on the transfer of data from the EU to the US under the Data Protection Directive. Reassuringly, the communication indicated continued support for model clauses and binding corporate rules and confirmed that the Commission's pre-existing decisions on the transfer of data to certain other countries they have previously confirmed offer adequate protection (including Canada, Israel, New Zealand and Switzerland) will be updated in...